- From: Ricardo Iramar dos Santos <riramar@gmail.com>
- Date: Mon, 17 Sep 2018 13:16:26 -0300
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Monday, 17 September 2018 16:17:01 UTC
Hi All,

I know the Transfer-Encoding request header, per specification (XMLHttpRequest and Fetch), cannot be defined by the user, so I'm trying to check when the browsers use it. I've already googled it but I couldn't find anything really clear.

What I'm trying to achieve is to check if it's possible for an attacker to exploit an XSS using a cross-domain request, taking advantage of this PHP issue: https://bugs.php.net/bug.php?id=76582. Basically, what happens is that if an Apache+PHP server receives a POST request with a "Transfer-Encoding: chunked" header, the request body is reflected in the response body.

Thanks!

Ricardo Iramar